Per-environment Network Management
Murano defines an Environment as an isolated group of services. These groups should be completely independent from each other: there should be no possibility of unexpected and unwanted interference between the services of different environments. Security is also a very important topic here: even within a single tenant there may be sensitive scenarios which require eliminating even theoretical possibilities of eavesdropping, sniffing, traffic interception and other malicious attempts by one service towards another located in a different environment. That is why the default behavior for Murano is to place its environments into different network segments, thus providing isolation at the physical level. However, there may exist different scenarios requiring different environments to communicate in a more tightly-integrated manner. In such scenarios services of different environments may (or even should) be placed within the same network segments, to simplify direct communications between these services.
This specification defines these various scenarios and their support in Murano in more detail.
By default, Murano will create a Network (L2 segment) dedicated to each deployed Environment. A subnet (L3 segment) will be allocated within this Network, with an IP range that is unique among the other subnets of this tenant. There are different possible ways of achieving this, by defining different subnet sizes. The default proposed way is to use class C networks with a 24-bit subnet mask. In this case the first two octets are fixed (read from a configuration file), and the third octet is managed by Murano, which picks and assigns any available value (i.e. one not taken by any other environment of this tenant); the resulting subnet mask is 255.255.255.0. This results in up to 255 possible environments, each having a maximum of 252 virtual machine nodes. These constants may be changed by choosing a different mask size in the configuration.
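The allocation rule above, written out as an added example (this is not Murano's own code). The configured "first two octets" are expressed as a /16 base network and the per-environment size as a prefix length; the base value 10.0.0.0/16, the function names and the accounting behind the per-environment node count are assumptions of this example. It generalises slightly beyond the text: existing tenant subnets of any size are honoured by checking for overlap rather than equality, and the mask size is a parameter so the "different size of the mask" case is covered by the same function.

```python
import ipaddress

# Constructed configuration values for this example. The spec fixes the first
# two octets in a configuration file and lets Murano manage the third; here that
# fixed prefix is expressed as a /16 base network and the per-environment
# subnet size as a prefix length (24 == 255.255.255.0 by default).
ENV_NET_BASE = "10.0.0.0/16"      # assumption: stands in for the configured octets
ENV_SUBNET_PREFIXLEN = 24


def allocate_env_subnet(used_subnets, base=ENV_NET_BASE,
                        prefixlen=ENV_SUBNET_PREFIXLEN):
    """Return the first /prefixlen subnet inside `base` that does not overlap
    any subnet already present in this tenant.

    `used_subnets` is an iterable of CIDR strings (the tenant's existing
    subnets, whatever their size). Overlap rather than equality is checked, so
    a tenant subnet of a different size (e.g. a /23) still blocks every /24 it
    covers. The pick is deterministic (lowest free subnet) rather than random,
    which keeps the result reproducible.
    """
    base_net = ipaddress.ip_network(base, strict=True)
    if prefixlen < base_net.prefixlen:
        raise ValueError("per-environment prefix must be no larger than the base")
    used = [ipaddress.ip_network(s, strict=False) for s in used_subnets]
    for candidate in base_net.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    raise RuntimeError("no free /%d subnet left in %s for this tenant"
                       % (prefixlen, base))


def nodes_per_env(prefixlen=ENV_SUBNET_PREFIXLEN):
    """Maximum virtual machine nodes an environment subnet can hold.

    Assumption of this example: four addresses are unusable for nodes (network
    and broadcast address, the router gateway port and the DHCP port), which
    is how a /24 comes to the 252 nodes quoted in the spec.
    """
    return 2 ** (32 - prefixlen) - 4


if __name__ == "__main__":
    # Constructed tenant state: two environments already deployed.
    existing = ["10.0.0.0/24", "10.0.1.0/24"]
    chosen = allocate_env_subnet(existing)
    print("next environment subnet:", chosen, "mask", chosen.netmask)
    print("nodes per environment:", nodes_per_env())
```

Because the check is for overlap, a tenant that holds a /23 created outside Murano is skipped correctly instead of being silently split, and the exhaustion case (every candidate taken) surfaces as an error rather than a reused range.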
The router to which this network will be connected will be detected automatically: if the tenant has only one router with an external gateway specified, this router will be picked. If no routers are present, Murano will automatically create one, naming it "MuranoRouter-%tenant_id%", and will uplink this new router to the first external network found. If more than one router is found for the tenant, Murano will first look for one named "MuranoRouter-%tenant_id%"; if none is found, it will look for any router having the "murano" keyword in its name; if no such router is found, it will pick a random one. To reduce this ambiguity, it is recommended that Cloud Administrators pre-create properly-named routers for each tenant they create in the Cloud.
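The same detection rules as a function, added here as an example rather than taken from Murano. Routers and external networks are represented as plain dicts shaped like the Neutron API objects ("id", "name", "external_gateway_info"); the sample values, the function names, the case-insensitive "murano" keyword match and the injectable `choose` callable (so the random pick can be replaced in tests) are all assumptions of this example.

```python
import random


def murano_router_name(tenant_id):
    """Name Murano gives the router it creates for a tenant."""
    return "MuranoRouter-%s" % tenant_id


def select_router(routers, tenant_id, external_networks, choose=random.choice):
    """Return (router, created) following the detection rules in the spec.

    `routers` and `external_networks` are lists of dicts modelled on Neutron
    API objects; constructed for this example, not read from a real cloud.
    `choose` is the tie-breaker used when no named or keyword match exists
    (random.choice by default, injectable for deterministic tests).
    """
    # Rule 1: exactly one router with an external gateway -> use it.
    with_gateway = [r for r in routers if r.get("external_gateway_info")]
    if len(with_gateway) == 1:
        return with_gateway[0], False

    # Rule 2: no routers at all -> create one uplinked to the first external net.
    if not routers:
        if not external_networks:
            raise RuntimeError("no external network available to uplink a new router")
        new_router = {
            "id": "<router-id-assigned-by-neutron>",   # placeholder, not a real id
            "name": murano_router_name(tenant_id),
            "external_gateway_info": {"network_id": external_networks[0]["id"]},
        }
        return new_router, True

    # Rule 3: several routers -> exact Murano name, then "murano" keyword, then random.
    wanted = murano_router_name(tenant_id)
    for r in routers:
        if r.get("name") == wanted:
            return r, False
    keyword_matches = [r for r in routers
                       if "murano" in (r.get("name") or "").lower()]
    if keyword_matches:
        return keyword_matches[0], False
    return choose(routers), False


if __name__ == "__main__":
    # Constructed tenant state: two routers, neither named for Murano.
    sample_routers = [
        {"id": "r1", "name": "default", "external_gateway_info": {"network_id": "ext"}},
        {"id": "r2", "name": "lab-murano", "external_gateway_info": {"network_id": "ext"}},
    ]
    router, created = select_router(sample_routers, "tenant-a", [{"id": "ext"}])
    print("selected:", router["name"], "(created)" if created else "(existing)")
```

The random fallback is the branch the spec warns about: when it is reached, which router gets an environment's uplink is not reproducible between deployments, which is why pre-creating a router with the expected name for each tenant is recommended.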
Users will be able to manually specify all the advanced network properties if they need to. For example, they may choose to add the environment to an already existing network (in this case the user will need to select whether a new subnet should be created within that network or an existing subnet should be used), or, if creating a new network is preferred, manually specify the router to which this network should be connected. This is considered an advanced scenario. It will be available to users when the environment is being created: a checkbox in the environment creation dialog will be available, unchecked by default, and if checked it should lead to an additional dialog step.